E-IN-MMS-0102-2002-A

United States Department of the Interior
Office of Inspector General
Washington, D.C. 20240

April 21, 2003

Memorandum

To:        Director, Minerals Management Service

From:      Roger La Rouche
           Assistant Inspector General for Audits

Subject:   Management Issues Identified During the Audit of the Minerals Management
           Service’s Fiscal Year 2002 Financial Statements (No. 2003-I-0044)

We contracted with KPMG LLP, an independent certified public accounting firm, to audit the Minerals Management Service’s (MMS) financial statements as of September 30, 2002 and for the year then ended. In conjunction with its audit, KPMG noted certain matters involving internal control and other operational matters that should be brought to management’s attention. These matters, which are discussed in the attached letter, are in addition to those reported in KPMG’s audit report on MMS’s financial statements (Report No. 2003-I-0030) and do not constitute reportable conditions as defined by the American Institute of Certified Public Accountants.

The recommendations will be referred to the Assistant Secretary for Policy, Management and Budget for tracking of implementation; therefore, your response should be provided directly to that office. If you have any questions regarding KPMG’s letter, please contact me at (202) 208-5512.

Section 5(a) of the Inspector General Act (5 U.S.C. App.
3) requires the Office of Inspector General to list this report in its semiannual report to the Congress.

Attachment

cc:     Assistant Secretary for Land and Minerals Management
        Assistant Secretary for Policy, Management and Budget
        Chief Financial Officer, Minerals Management Service
        Director, Office of Financial Management
        Comptroller, Minerals Management Service
        Chief, Financial Management Branch, Minerals Management Service
        Audit Liaison Officer, Land and Minerals Management
        Audit Liaison Officer, Minerals Management Service
        Focus Leader for Management Control and Audit Followup,
        Office of Financial Management

ATTACHMENT

Page 2

The detailed scan results (raw data) containing vulnerable IP addresses were provided to MMS network management.

Criteria

OMB Circular A-130, "Security of Federal Automated Information Resources," states that agencies are required to establish controls to assure adequate security of all information processed, transmitted, or stored in Federal automated information systems. In every general support system, a number of technical, operational, and management controls are used to prevent and detect harm. Such controls include individual accountability, "least privilege," and separation of duties. Individual accountability consists of holding someone responsible for his/her actions. In a general support system, accountability is normally accomplished by identifying and authenticating users of the system and subsequently tracing actions on the system to the user who initiated them.
Least privilege is the practice of restricting a user's access (to data files, to processing capability, or to peripherals) or type of access (read, write, execute, delete) to the minimum necessary to perform his job. Appendix III of the Circular also directs Federal agencies to follow the guidance of the National Institute of Standards and Technology (NIST).

Cause

Vulnerability of the systems existed as a result of these contributing factors:
• Inadequate firewall policy for the New Orleans site and contractor-managed router; and
• Inability to apply software patches or disable unnecessary web server extensions in a reasonable amount of time.

Effect

The vulnerabilities increase the risk that critical MMS systems, including those containing business information, could be compromised or disabled by malicious or unauthorized use. Excessive network services available through open ports and unpatched system software provide unauthorized users with the potential for gaining access to the MMS internal network and then proceeding to compromise system and network availability, confidentiality and integrity.

Recommendation

We recommend MMS management take the necessary steps to improve network security, which should include, at a minimum:
a) Immediately closing the open ports which present a critical risk;
b) Conducting a detailed review of the scan results which have been provided by KPMG in order to determine if other open ports present vulnerabilities for the MMS network;
c) Disabling or replacing vulnerable network services, including web server extensions.
   Use protocol filtering to permit only authorized machines to use network services (at router, switch, or firewall); and
d) Applying the latest vendor security patches for the Internet Information Server (IIS) web server.

Page 3

2. Improve Controls Related to Prompt Pay

Condition

Not all invoices for payment were paid within the timelines prescribed by the Prompt Payment Act. During our testing we noted significant improvements in the payment process and in ensuring the timely submission of payment. However, we noted that for 2 of the 247 sample items tested, expenses were not promptly paid within the time period allotted, as specified by the Prompt Payment Act (5 CFR Part 1315) and the Federal Acquisition Regulation, Paragraph 52.232-25, and interest payments to the vendor were not made for these items. The total value of these items was $118,796 and the associated unpaid interest was approximately $670. When this error is projected to the remaining population, our estimate of the unpaid interest in the remaining population is approximately $14,306.

Criteria

The Prompt Payment Act (5 CFR Part 1315) requires Federal agencies to pay expenses on a timely basis, within 30 days of the later of receipt of an invoice or delivery of goods/services. In the event expenses are not paid within the allotted time period, the Prompt Payment Act further states that interest penalties are to be assessed against the expense and are due to vendors along with payment.

Cause

The approving official did not promptly send approved invoices for payment to the Financial Management Branch.
Timely receipt of the approved invoice by the Financial Management Branch (FMB) is imperative for complying with the regulations set forth in the Prompt Payment Act and the Federal Acquisition Regulation. The Financial Management Branch did not pay interest on the two delinquent payments noted in the condition due to management oversight.

Effect

Failure to make timely payments could, if determined to have a direct and material impact, result in noncompliance with laws and regulations.

Recommendation

We recommend that management ensure that the Procurement Division promptly submits approved vendor invoices to the Financial Management Branch to ensure payments are made in accordance with the Prompt Payment Act and the Federal Acquisition Regulation. In the event invoices are not submitted in a timely fashion, the Financial Management Branch should calculate the interest expense incurred for noncompliance with the Prompt Payment Act and submit interest payments to vendors accordingly and promptly.

Page 4

Our audit procedures are designed primarily to enable us to form an opinion on the financial statements, and therefore may not bring to light all weaknesses in policies or procedures that may exist. We aim, however, to use our knowledge of MMS gained during our audit to make comments and suggestions that we hope will be useful to you.

We would be pleased to discuss these comments and recommendations with you at any time.

This report is intended solely for the information and use of the Department of the Interior's management, the Department of the Interior's Office of the Inspector General, the Office of Management and Budget and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

KPMG LLP
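Finding 1 above recommends a detailed review of the scan results to decide which open ports present vulnerabilities (item b), closing the ones that present a critical risk at once (item a), and filtering at the router, switch or firewall so that only authorized machines reach network services (item c). The following is an added example of such a review and is not code from KPMG, MMS or the OIG: it assumes the "raw data" scan results are in nmap's greppable (-oG) format, which the letter does not state, and the hosts, ports, per-host allow-list and "critical" service list are all constructed for the illustration.

```python
"""Review scan results against a per-host service allow-list.

Added example, not part of the KPMG management letter. Assumes nmap -oG
format for the scan data; the sample scan, POLICY and CRITICAL_PORTS below
are constructed for illustration and are not MMS data.
"""
import re
from collections import defaultdict

# Constructed sample of nmap -oG output (tab-separated sections; each port
# entry is port/state/protocol/owner/service/rpc-info/version/).
SAMPLE_SCAN = """\
# Nmap 4.11 scan initiated (constructed sample)
Host: 10.10.1.20 (web01.example.test)\tStatus: Up
Host: 10.10.1.20 (web01.example.test)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 8080/open/tcp//http-proxy///, 21/closed/tcp//ftp///\tIgnored State: closed (994)
Host: 10.10.1.21 (rtr01.example.test)\tStatus: Up
Host: 10.10.1.21 (rtr01.example.test)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 161/open|filtered/udp//snmp///\tIgnored State: closed (997)
"""

# Assumed allow-list: the only (port, protocol) services each host may expose.
POLICY = {
    "10.10.1.20": {(80, "tcp"), (443, "tcp")},
    "10.10.1.21": {(22, "tcp")},
}

# Assumed "critical risk" services: cleartext or LAN-only protocols that
# should never be reachable across the perimeter (recommendation item a).
CRITICAL_PORTS = {(23, "tcp"), (135, "tcp"), (139, "tcp"), (445, "tcp"), (161, "udp")}

PORT_RE = re.compile(r"^(\d+)/([^/]*)/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return {host: [(port, proto, state, service), ...]} from -oG text."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and blank lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # "Status: Up" lines carry no port data
        host = fields["Host"].split()[0]  # drop the "(hostname)" part
        for entry in fields["Ports"].split(", "):
            m = PORT_RE.match(entry.strip())
            if m:
                port, state, proto, service = m.groups()
                hosts[host].append((int(port), proto, state, service))
    return dict(hosts)


def review(scan, policy, critical=CRITICAL_PORTS):
    """Classify each exposed port as 'critical', 'unauthorized' or 'authorized'.

    Ports reported closed or filtered are not exposures and are skipped;
    'open|filtered' (common for UDP) is treated conservatively as open.
    """
    findings = []
    for host, ports in sorted(scan.items()):
        allowed = policy.get(host, set())  # unknown host: nothing is authorized
        for port, proto, state, service in ports:
            if not state.startswith("open"):
                continue
            key = (port, proto)
            if key in critical:
                level = "critical"
            elif key not in allowed:
                level = "unauthorized"
            else:
                level = "authorized"
            findings.append((host, port, proto, service, level))
    return findings


def filter_rules(policy, chain="FORWARD"):
    """Default-deny filter for recommendation item c, as iptables commands
    (assumed perimeter device): permit only the allow-listed services to
    each host and drop everything else addressed to it."""
    rules = []
    for host, allowed in sorted(policy.items()):
        for port, proto in sorted(allowed):
            rules.append(f"iptables -A {chain} -d {host} -p {proto} --dport {port} -j ACCEPT")
        rules.append(f"iptables -A {chain} -d {host} -j DROP")
    return rules


if __name__ == "__main__":
    results = review(parse_grepable(SAMPLE_SCAN), POLICY)
    for host, port, proto, service, level in results:
        if level != "authorized":
            print(f"{level:12} {host}:{port}/{proto} ({service})")
    print("\n".join(filter_rules(POLICY)))
```

Run with the sample data, the review lists 135/tcp, 445/tcp, 23/tcp and 161/udp as critical (close immediately) and 8080/tcp as open but not authorized (review and disable or add to policy); the generated rules are the shape of the "permit only authorized machines" filter and must be adapted to the actual router, switch or firewall in front of the hosts, with source-address restrictions added where a service is meant for specific machines only.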